The scope and responsibilities of an information security professional are diverse, and afford a great deal of responsibility and trust in protecting the confidentiality, integrity, and availability of an organization's information assets. The services provided by an information security professional are critical to the success of an organization and to the overall security posture of the information technology community. Such responsibilities place a significant expectation on certified professionals to uphold a standard of ethics to guide the application and practice of the information security discipline.

A professional certified by GIAC acknowledges that such a certification is a privilege that must be earned and upheld. GIAC certified professionals pledge to advocate, adhere to, and support the Code of Ethics. It is not enough for information security professionals to simply "do the job". We must hold ourselves and our discipline to the highest standards of ethical and professional conduct.

GIAC customers and certified professionals who violate any principle of the Code may be subject to disciplinary action by GIAC. Sanctions include, but are not limited to:

Revocation of certifications and/or forfeiture of certification attempts

GIAC/SANS participation ban

Reporting of violation to management and/or other certifying organizations

The following GIAC Code of Ethics was developed through the consensus of the GIAC Advisory Board members and GIAC management.

Respect for the Public

I will accept responsibility in making decisions with consideration for the security and welfare of the community.

I will not engage in or be a party to unethical or unlawful acts that negatively affect the community, my professional reputation, or the information security discipline.

Respect for the Certification

I will not share, disseminate, or otherwise distribute confidential or proprietary information pertaining to the GIAC certification process.

I will not use my certification, or objects or information associated with my certification (such as certificates or logos) to represent any individual or entity other than myself as being certified by GIAC.

Respect for my Employer

I will deliver capable service that is consistent with the expectations of my certification and position.

I will protect confidential and proprietary information with which I come into contact.

I will minimize risks to the confidentiality, integrity, or availability of an information technology solution, consistent with risk management practice.

Respect for Myself

I will avoid conflicts of interest.

I will not misuse any information or privileges I am afforded as part of my responsibilities.

I will not misrepresent my abilities or my work to the community, my employer, or my peers.

Personal Accountability to the Code of Ethics

Individuals may only make claims regarding their GIAC certification status with respect to the scope of specific certifications they have earned. Individuals may not use the certification or their certification status in such a manner as to mislead others, misrepresent unauthorized information or bring the certification body into disrepute.

If there are any matters affecting a certified individual's ability to continue to fulfill the competencies associated with a specific GIAC certification they hold, the certified individual is required under the code of ethics to inform GIAC without delay by emailing ethics@giac.org with specific information.

In the event that an individual's certified status is withdrawn for any reason, the person must refrain from use of all references to a certified status.

Exam Ethics

If GIAC detects any exam anomalies before, during or after a GIAC exam attempt, GIAC has the right to investigate, apply sanctions, and void certification results. GIAC also reserves the right to require the candidate to retest under formal proctored conditions.

GIAC strives to maintain the highest ethical standards. The GIAC Ethics Council, with an international composition, is elected from the GIAC Advisory Board and acts as an independent committee regarding ethical matters that may arise in matters of GIAC certification, use of the GIAC credentials and ethical conduct of GIAC certification holders. The primary functions of the Council are to:

Provide investigative functions and recommendations to the GIAC Director concerning the enforcement of GIAC's Code of Ethics

Provide advice and counsel to the GIAC Director regarding ethical issues, as requested, and recommend appropriate actions the organization may want to evaluate

Provide confidential advice to the GIAC membership at-large, assisting members with ethical questions and concerns and reaching out to members whose companies may be involved in publicly-announced ethical situations

Review the GIAC Code of Ethics annually to ensure it is addressing the needs of the membership and profession

Unified Framework of Professional Ethics for Security Professionals

At the present time the GIAC Ethics Council upholds the GIAC Code of Ethics. However, in early 2007 the GIAC Ethics Council joined with other security organizations to formulate a unified code of ethics for the security industry. The GIAC Ethics Council sees this work as an important milestone in achieving increased recognition for the security profession and is proud to be actively involved in this initiative.

The GIAC organization takes ethics very seriously. We are committed to enforcing our Code of Ethics, and have formal procedures that allow fair and objective review of allegations and evidence of violations of the GIAC Code of Ethics. The GIAC Ethics Council has the responsibility of formally reviewing any charges and evidence of ethics violations. The GIAC Code of Ethics is available at https://www.giac.org/about/ethics/code

Complaint Submission

Any GIAC member or member of the public who witnesses or suspects a violation of GIAC's Code of Ethics may submit a written complaint to the GIAC Ethics via our online complaint form. The complaint must include the following at a minimum:

A detailed description of the facts known and circumstances relevant to the complaint

The complainant's source(s) of information, and the names, addresses, phone numbers and other contact information of witnesses and other knowledgeable individuals, as known

Any and all supporting information or evidence

The section or sections of the GIAC Code of Ethics violated

Each complaint will be reviewed for completeness and forwarded to the GIAC Ethics Council to initiate the review process. If not enough information is present to initiate a review, the form will be returned to the complainant requesting more information.

If enough corroborating evidence is available to support a thorough investigation, the identity of the accuser will not necessarily be divulged to the individual being investigated. If the investigation relies more heavily on testimony from a single source or the evidence presented obviously implicates the identity of the accuser, it may not be possible for the accuser to remain unidentified.

Ethics Violation Review Process

The investigative process is initiated when the Director of GIAC requests the investigation of a potential misconduct or when the Director is in receipt of a written complaint alleging misconduct.

The Ethics Council will solicit details in writing from the individual being investigated as well as any others who may be able to provide corroborating or exculpatory information. After all solicited information has been reviewed the Council may request further clarification as required.

On completion of its investigation, the Ethics Council will make a written report to the Director recommending whether the complaint should be upheld, and the recommended course of discipline. The written report will be communicated to the Director for review and possible further action.

If a Council member or members have a strong opinion against the majority decision of the Council, then a dissenting opinion may also be written and provided to the Director.

Appeal Process

Individuals found to be in violation may file an appeal within 30 days of the notice of decision, stating the specific grounds for appeal.

The appeal will be conducted by the GIAC Appeals Committee, who will review the details of the original investigation in addition to the appeal to determine if the appeal has merit. The GIAC Director will notify the appealing party regarding the outcome of the Appeal, and the decision will be final.